On Wed, 14 Dec 2016 09:21:37 -0500
Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:

> On 12/14/2016 09:19 AM, Dave Love wrote:
> > Kevin Fenzi <kevin@xxxxxxxxx> writes:
> >
> >> On Tue, 13 Dec 2016 14:36:06 +0000
> >> Dave Love <d.love@xxxxxxxxxxxxxxx> wrote:
> >>
> >>> Simo Sorce <simo@xxxxxxxxxx> writes:
> >>>
> >>>> If you really need to automate it because typing a password is
> >>>> too hard: cat ~/.mykrbpassword | kinit myusername
> >>>
> >>> It needs to be automated principally because the password is not
> >>> memorable. I assume infrastructure people would rather we don't
> >>> use the least secure credentials we can.
> >>
> >> I can't speak for others, but the thought of putting your FAS
> >> password in plain text in some startup file makes me cry.
> >
> > Yes, but if people can read it and it only has owner access they
> > could have stolen the certificate, possibly can steal your ccache,

Well, the old koji cert was only good to auth against koji or lookaside
upload. Your FAS password could be used to login to your FAS account,
change the ssh key (although this sends email) and push changes to git.

If you are using the default kerberos cache (the linux kernel keyring),
I think it may be possible to copy your tickets to another machine, but
it's definitely not trivial (not like scp .fedora.cert). It might
require root access also. I am not sure. Does anyone know how it uses
the linux kernel keyring here?

> > and bets are off. A keytab isn't plain text, but isn't encrypted;
> > it's used as "kinit -t <keytab>" with Heimdal and something similar
> > with MIT. However, I now can't remember whether you need kadmin
> > access to populate it, and don't know if that's available.
> >
>
> You do not; you can manipulate a keytab in your local user space with
> `ktutil`

Yep. But note that a keytab can easily be copied away to other
machines. Which might be an advantage or a disadvantage depending on
what you are trying to do.

kevin
Attachment:
pgp9guLRxkhut.pgp
Description: OpenPGP digital signature
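The thread mentions populating a keytab in user space with `ktutil` and warns that a keytab, being unencrypted, is only as safe as the file permissions around it. The script below is an added example and not code from the thread or from Fedora infrastructure: it writes a user keytab with MIT Kerberos `ktutil`, refuses to use it unless it is owner-only, and obtains a ticket with `kinit -kt`. The key version number `1`, the `aes256-cts-hmac-sha1-96` enctype, the `RUN_KEYTAB_DEMO` variable and the use of GNU `stat -c` are assumptions for the example; adjust them to the realm and platform in question.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a user keytab with
# MIT ktutil and check credential-file permissions before relying on it.
# Assumes MIT Kerberos tools (ktutil, kinit, klist) and GNU coreutils stat.

# Return 0 if FILE is a regular file owned by the caller with mode 0600 or 0400,
# i.e. nobody else on the host can simply read and copy it.
keytab_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write a keytab for PRINCIPAL into KEYTAB, prompting for the password once.
# "addent -password" stores the derived long-term key, not the password itself.
# kvno 1 is an assumption here; use the value kvno(1) reports for the principal.
make_user_keytab() {
    principal="$1"
    keytab="$2"
    umask 077                 # new files are created owner-only
    ktutil <<EOF
addent -password -p $principal -k 1 -e aes256-cts-hmac-sha1-96
wkt $keytab
quit
EOF
    if ! keytab_perms_ok "$keytab"; then
        echo "refusing to use $keytab: not an owner-only regular file" >&2
        return 1
    fi
    klist -kt "$keytab"       # show the entries that were written
}

# Obtain a ticket non-interactively from the keytab (no password on disk).
kinit_from_keytab() {
    principal="$1"
    keytab="$2"
    keytab_perms_ok "$keytab" || return 1
    kinit -kt "$keytab" "$principal"
}

# Demo is opt-in so the functions can be sourced or tested without a KDC:
#   RUN_KEYTAB_DEMO=1 sh keytab.sh user@EXAMPLE.REALM ~/.krb5.keytab
if [ "${RUN_KEYTAB_DEMO:-0}" = 1 ]; then
    make_user_keytab "$1" "$2" && kinit_from_keytab "$1" "$2"
fi
```

`keytab_perms_ok` is the piece worth keeping around on its own: running it against a keytab (or a file-based ccache) before use turns the thread's "anyone who can read it can copy it" observation into a check that fails loudly when a file has drifted to group- or world-readable.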
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx